– %HOME%\Local Settings\Application Data\0535049569854.xxe – %TEMPDIR%\captcha.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file. – %temporary internet files%\v2captcha21[1].exe Further investigation pointed out that this file is malware, too. Detected as: TR/Spy.19456.86

– %malware execution directory%\SelfDel.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file. – %temporary internet files%\loader[1].exe Further investigation pointed out that this file is malware, too. Detected as: TR/Dropper.Gen

– %drive%\1.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file. – %temporary internet files%\ws[1].exe Further investigation pointed out that this file is malware, too. Detected as: BDS/Backdoor.Gen